---
layout: docs
page_title: token capabilities - Command
description: |-
  The "token capabilities" command fetches the capabilities of a token for a
  given path.
---

> [!IMPORTANT]  
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.

# token capabilities

The `token capabilities` command fetches the capabilities of a token for a given
path.

If you pass a token value as an argument, this command uses the
`/sys/capabilities` endpoint and permission. In the absence of an explicit token
value, this command uses the `/sys/capabilities-self` endpoint and permission
with the locally authenticated token.

## Examples

List capabilities for the local token on the `secret/foo` path:

```shell-session
$ vault token capabilities secret/foo
read
```

The output shows the local token has read permission on the `secret/foo` path.

List capabilities for a token (`hvs.CAESI...WtiSW5mWUY`) on the `cubbyhole/foo`
path:

```shell-session
$ vault token capabilities hvs.CAESI...WtiSW5mWUY database/creds/readonly
deny
```

The output shows the token (`hvs.CAESI...WtiSW5mWUY`) has no permission to
operate on the `cubbyhole/foo` path.

## Usage

The following flags are available in addition to the [standard set of
flags](/vault/docs/commands) included on all commands.

### Output options

- `-format` `(string: "table")` - Print the output in the given format. Valid
  formats are "table", "json", or "yaml". This can also be specified via the
  `VAULT_FORMAT` environment variable.
